17

I'm trying to use an existing role (present in the AWS account) in a CloudFormation template to set up a Lambda function; I plan to use this across multiple AWS accounts.

In the CF template, I'm using Parameters to set the name of the Role and then using Ref in the Role property for the Lambda function. This is what my template looks like:

"Parameters" : {
  "ExistingRoleName" : {
    "Type" : "String",
    "Default" : "MyCustomRole"
  }
},
"Resources" : {
  "CustomLambdaFunction" : {
    "Type" : "AWS::Lambda::Function",
    "Properties" : {
      "MemorySize" : "128",
      "Role" : { "Ref" : "ExistingRoleName" }
    }
  },
  ...

However, the CF template fails with the following error:

Properties validation failed for resource CustomLambdaFunction with message: #/Role: failed validation constraint for keyword [pattern]

Is this because the Lambda resource in CloudFormation needs the role ARN instead of the RoleName, as I've seen in this doc: aws-resource-lambda-function?

Based on that, I updated the CF template like so:

"Resources" : {
  "CustomLambdaFunction" : {
    "Type" : "AWS::Lambda::Function",
    "Properties" : {
      "MemorySize" : "128",
      "Role" : "arn:aws:iam::AccountID:role/MyCustomRole"
    }
  },

However, I still see the same error.

Properties validation failed for resource CustomLambdaFunction with message: #/Role: failed validation constraint for keyword [pattern]

I was wondering if I'm missing something here?

2
  • The ARN looks fine. Maybe the actual one that you use is incorrect, which is not shown here.
    – Marcin
    Commented Jul 21, 2021 at 3:02
  • Also, I guess AccountID is just a placeholder, not the actual string in your real code?
    – Marcin
    Commented Jul 21, 2021 at 3:04

5 Answers

32

The Ref of an IAM Role “returns the resource name”, not its ARN. But you can use GetAtt on the Arn attribute of the role instead.

In JSON:

{"Fn::GetAtt": ["MyRole", "Arn"]}

In YAML:

!GetAtt MyRole.Arn
2
  • The documentation for this is scattered over all the individual resource pages. I found this big list useful as a quick reference.
    – De117
    Commented Aug 3, 2022 at 13:24
  • Thank you! Your explanation saved 7 minutes of my time. :)
    Commented Dec 16, 2023 at 21:03
4

Format to reference the IAM role ARN:
"Role" : { "Fn::Sub" : "arn:aws:iam::${AWS::AccountId}:role/MyCustomRole" }

1
  • Thank you for the response, I guess this would work as well.
    – nevosial
    Commented Jul 21, 2021 at 4:01
1

In YAML, if you are pointing to an already existing role, the syntax is:

function:
  ...
  role: !Sub arn:aws:iam::${AWS::AccountId}:role/MyRoleName

Somehow I had forgotten the !Sub at the beginning.

0

This is what worked for me:

"Role": { "Fn::Join" : [ "", [ "arn:aws:iam::", { "Ref" : "AWS::AccountId" }, ":role/MyCustomRole" ] ] }

0

I was getting the same problem with the syntax below:

"Resources" : {
  "CustomLambdaFunction" : {
    "Type" : "AWS::Lambda::Function",
    "Properties" : {
      "Role" : "arn:aws:iam::<account-id>:role/MyCustomRole"
    }
  },

I solved it like this: the issue was that when inserting my AWS account ID in place of "account-id", I was keeping it in the same format as is shown on the AWS console, i.e. xxxx-xxxx-xxxx. However, the "account-id" space expects the "\d{12}" format, i.e. 12 digits only. Removing the '-' between the digits solved the problem for me.
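The five answers above describe the same constraint from different angles: Ref on an IAM role gives its name, GetAtt/Fn::Sub/Fn::Join give an ARN, and the ARN's account segment must be exactly 12 digits. The following Python script is an added example, not code from any of the posts: it emulates that small subset of intrinsic functions offline, with constructed sample values (the account id, role names and template snippets are made up), and lints each candidate Role value against the ARN pattern before the template is ever sent to CloudFormation. The pattern itself is assumed to be the one the Lambda API reference publishes for the Role parameter.

```python
"""Offline lint for the Lambda ``Role`` property of a CloudFormation template.

Added example; not code from any of the posts above. It emulates the subset of
intrinsic functions the answers rely on (Ref, Fn::GetAtt, Fn::Sub, Fn::Join)
with constructed sample values and checks the resolved value against the ARN
pattern the Role property enforces, so the "failed validation constraint for
keyword [pattern]" error surfaces before a stack is created.
"""
import re

# Assumed: the pattern published in the Lambda API reference for the Role
# parameter of CreateFunction. Note the \d{12}: a dashed console-style
# account id can never satisfy it.
ROLE_ARN_PATTERN = re.compile(
    r"^arn:(aws[a-zA-Z-]*)?:iam::\d{12}:role/?[a-zA-Z_0-9+=,.@\-_/]+$"
)


def normalize_account_id(raw):
    """Turn the console's 'xxxx-xxxx-xxxx' display form into the 12 digits an ARN needs."""
    digits = raw.replace("-", "")
    if not re.fullmatch(r"\d{12}", digits):
        raise ValueError(f"account id must be 12 digits, got {raw!r}")
    return digits


def resolve(value, ctx):
    """Resolve the intrinsic functions used in the answers against ``ctx``.

    ctx = {"account_id": str,
           "parameters": {name: value},
           "resources": {logical_id: {"name": ..., "arn": ...}}}
    """
    if isinstance(value, str):
        return value
    if isinstance(value, dict) and len(value) == 1:
        (fn, arg), = value.items()
        if fn == "Ref":
            if arg == "AWS::AccountId":
                return ctx["account_id"]
            if arg in ctx["parameters"]:
                return ctx["parameters"][arg]
            # Ref on an AWS::IAM::Role yields the role *name*, never its ARN.
            return ctx["resources"][arg]["name"]
        if fn == "Fn::GetAtt":
            logical_id, attr = arg
            return ctx["resources"][logical_id][attr.lower()]
        if fn == "Fn::Sub":
            # ${X} behaves like a Ref; ${X.Attr} behaves like a GetAtt.
            def sub_var(m):
                name = m.group(1)
                if "." in name:
                    return resolve({"Fn::GetAtt": name.split(".", 1)}, ctx)
                return resolve({"Ref": name}, ctx)
            return re.sub(r"\$\{([^}]+)\}", sub_var, arg)
        if fn == "Fn::Join":
            delimiter, parts = arg
            return delimiter.join(resolve(p, ctx) for p in parts)
    raise ValueError(f"unsupported value: {value!r}")


def check_role(value, ctx):
    """Return (resolved_value, passes_pattern) for one Role property value."""
    resolved = resolve(value, ctx)
    return resolved, bool(ROLE_ARN_PATTERN.match(resolved))


# Constructed sample context: a made-up account id and an in-template role.
CTX = {
    "account_id": normalize_account_id("1234-5678-9012"),
    "parameters": {"ExistingRoleName": "MyCustomRole"},
    "resources": {
        "MyRole": {
            "name": "MyRole-ABC123",
            "arn": "arn:aws:iam::123456789012:role/MyRole-ABC123",
        }
    },
}

# The variants discussed on the page, keyed by the post they come from.
CANDIDATES = {
    "question_ref_name": {"Ref": "ExistingRoleName"},
    "answer5_dashed_id": "arn:aws:iam::1234-5678-9012:role/MyCustomRole",
    "answer1_getatt": {"Fn::GetAtt": ["MyRole", "Arn"]},
    "answer2_sub": {"Fn::Sub": "arn:aws:iam::${AWS::AccountId}:role/MyCustomRole"},
    "answer4_join": {"Fn::Join": ["", ["arn:aws:iam::", {"Ref": "AWS::AccountId"}, ":role/MyCustomRole"]]},
}


def check_all(candidates=CANDIDATES, ctx=CTX):
    """Map each candidate name to (resolved_value, passes_pattern)."""
    return {name: check_role(v, ctx) for name, v in candidates.items()}


if __name__ == "__main__":
    for name, (resolved, ok) in check_all().items():
        print(f"{'PASS' if ok else 'FAIL'} {name:<20} {resolved}")
```

Running the script prints FAIL for the bare role name and for the dashed account id, and PASS for the GetAtt, Fn::Sub and Fn::Join forms. Of the passing forms, Fn::Sub with `${AWS::AccountId}` is the one that keeps the template portable across accounts, which was the asker's goal; hard-coding a 12-digit account id in the ARN passes the pattern but ties the template to one account.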
